NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e19eb8c29c
kumquat-buildroot/package/openssh/Config.in
Romain Naour dd244feb37 package/openssh: add libxcrypt optional dependency for sshd 
When glibc was bumped to version 2.39 in commit
b5680f53d6 it removed the deprecated
libcrypt support.

As glibc's libcrypt was providing sshd's libcrypt dependency this broke
the sshd password authentification at runtime using glibc version 2.39.

  # sshpass -p testpwd ssh -oStrictHostKeyChecking=no localhost /bin/true
  Permission denied, please try again.

Without libcrypt, OpenSSH >= 6.2 fall back to using openssl's DES_crypt
function on platorms that don't have a native crypt() function [1].

Note that DES_crypt is deprecated since openssl 3.0 [2] [3].

"Use of the low level DES functions has been informally discouraged for a
 long time. We now formally deprecate them.

 Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex,
 EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt
 functions."

Also DES_crypt is provided by openssl only if
BR2_PACKAGE_LIBOPENSSL_ENABLE_DES is enabled. Otherwise crypt() is
never defined:

  sd-compat.a(xcrypt.o): in function `xcrypt':
  xcrypt.c:(.text+0x48): undefined reference to `crypt'

It's not clear why the password authentification fail with openssl's
DES_crypt but since it's deprecated we use libxcrypt to provide
a working crypt() function for glibc based toolchains.

[1] https://github.com/openssh/openssh-portable/blob/V_9_7/openbsd-compat/xcrypt.c#L57
[2] c6fec81b88
[3] https://www.openssl.org/docs/man3.2/man3/DES_crypt.html

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/6623402147

Signed-off-by: Romain Naour <romain.naour@smile.fr>
2024-04-30 23:00:24 +02:00

44 lines
1011 B
Plaintext
Raw Blame History

config BR2_PACKAGE_OPENSSH
bool "openssh"
depends on BR2_USE_MMU # fork()
select BR2_PACKAGE_OPENSSL
select BR2_PACKAGE_ZLIB
help
A free version of the SSH protocol suite of network
connectivity tools. The standard 'ssh', 'sshd', 'scp', and
friends.
http://www.openssh.com/
if BR2_PACKAGE_OPENSSH
config BR2_PACKAGE_OPENSSH_CLIENT
bool "client"
default y
help
Client programs: ssh, scp, sftp, ssh-agent, ssh-add,
ssh-copy-id.
config BR2_PACKAGE_OPENSSH_SERVER
bool "server"
default y
select BR2_PACKAGE_LIBXCRYPT if BR2_TOOLCHAIN_USES_GLIBC
help
Server programs: sshd, sftp-server
config BR2_PACKAGE_OPENSSH_KEY_UTILS
bool "key utilities"
default y
help
Key utilities: ssh-keygen, ssh-keyscan.
config BR2_PACKAGE_OPENSSH_SANDBOX
bool "use sandboxing"
default y
help
Use sandboxing for extra privilege protection of processes.
This is normally preferable, but may cause seccomp problems
for certain combinations of C libraries and kernel versions.
endif
Reference in New Issue View Git Blame Copy Permalink